UK company, Office Holdings Ltd, enters into undertaking after data breach
January 21, 2015
The UK Information Commissioner’s Office has entered into an undertaking with the shoe retailer Office as a result of a data breach caused by a hacking attack on Office’s website. The breach exposed the data of over a million customers. The investigation revealed poor data security practices, including an unencrypted database, a patchy record of penetration testing, a deficient privacy policy and poor staff training. As is common with data breaches investigated by UK and US authorities, an investigation into one privacy failure, such as inadequate cyber security protection, brings to light a raft of other deficiencies: retention of data long after it is required, poor training, no or inadequate penetration testing, and so on. Those poor data practices then become public in the contents of an undertaking or monetary penalty notice, with reputational consequences.
It will be interesting to see how the Privacy Commissioner approaches the use of undertakings and civil penalty proceedings. So far he has opted for the (very) softly softly approach.
The ICO media statement provides:
The ICO has warned high street and online shoe retailer Office after the personal data of over one million customers was left exposed due to a hacking incident.
The hacker managed to gain the potential to access customers’ contact details and website passwords via an unencrypted database that was due to be decommissioned. The hacker bypassed other technical measures the company had put in place and the incident went undetected.
Office has signed an undertaking to ensure issues around the data breach are resolved.
Sally-Anne Poole, Group Manager at the Information Commissioner’s Office said:
“The breach has highlighted two hugely important areas of data protection: the unnecessary storage of older personal data and the lack of security to protect data.
“All data is vulnerable even when in the process of being deleted, and Office should have had stringent measures in place regardless of the server or system used. The need and purpose for retaining personal data should also be assessed regularly, to ensure the information is not being kept for longer than required.”
“Fortunately, in this case there is no evidence to suggest that the information has been used any further and the company did not store any bank details.”
The data breach also highlights the risks associated with customers using the same password for all their online accounts.
Sally-Anne Poole added:
“This one incident could potentially have given the hacker access to numerous accounts that the clients held with other organisations, as passwords were included on the database in question. It’s important to use a unique, strong password for each separate account; preferably a combination of numbers and letters – not a name or dictionary word.”
The company has committed to address the issues of data protection and has already decommissioned the servers in question and implemented a new hosting infrastructure.
The undertaking provides:
- Office Holdings Ltd is the data controller as defined in section 1(1) of the Data Protection Act 1998 (the ‘Act’), in respect of the processing of personal data carried out by Office and is referred to in this Undertaking as the ‘data controller’. Section 4(4) of the Act provides that, subject to section 27(1) of the Act, it is the duty of a data controller to comply with the data protection principles in relation to all personal data in respect of which it is a data controller.
- The Information Commissioner (the ‘Commissioner’) was informed on 29 May 2014 that a member of the public had hacked into an unencrypted historic Office database that was being stored on a legacy server outside the core infrastructure of the current website. This individual had managed to gain potential access to personal data relating to over a million Office customers, including contact details and website passwords. However, the data controller has confirmed that it does not store customers’ bank details, so financial information was not compromised. Moreover, there is no evidence to suggest that the information accessed has been further disclosed or otherwise used.
- The data controller explained that there were several technical measures in place to minimise the risk of such an attack, although the hacker managed to bypass these measures to gain access to the legacy servers undetected. Office has also confirmed that whilst penetration tests were carried out on the new websites before migration, only a single such test was completed on the old system, the results of which were not concluded or recorded, due to the legacy system being in the process of being decommissioned.
- Office has explained that removing the historic customer data from the database before migration to the new system was believed to add complexity and a material risk of data mismatches, operation downtime and customer disruption, so as to put the project at risk. However, Office has since accepted that in hindsight, the risks of removing these details before migration were less than originally thought. As such, it would appear that the retention of this historic data, some of which may now be inaccurate, was over-cautious and not strictly required. However, amongst other remedial measures taken by Office since the incident, the servers in question have now been decommissioned, and a new hosting infrastructure is in place.
- At the time of the incident, Office’s public facing privacy policy did not contain any specific reference to retention periods, and no formal data protection training was provided to staff. Office has since confirmed that both these matters are being addressed and that new policies will be formalised early in 2015.
- The Commissioner has considered the data controller’s compliance with the provisions of the Act in the light of this matter. The relevant provisions of the Act are the fifth and seventh Data Protection Principles. These Principles are set out in Schedule 1 Part I to the Act.
- Following consideration of the remedial action that has been taken by the data controller, it is agreed that in consideration of the Commissioner not exercising his powers to serve an Enforcement Notice under section 40 of the Act, the data controller undertakes as follows:
The data controller shall, as from the date of this Undertaking and for so long as similar standards are required by the Act or other successor legislation, ensure that personal data are processed in accordance with the fifth and seventh Data Protection Principles in Part I of Schedule 1 to the Act, and in particular that:
- the data controller shall ensure that all of its websites and servers are subject to regular penetration testing;
- the data controller shall implement its new data protection policy documents within three months of the date of this Undertaking. These should link to or include a retention and disposal policy for customer data, the requirements of which should be monitored on an ongoing basis;
- the data controller shall provide formal data protection training to all Office employees and should introduce regular refresher training to reinforce this provision;
- the data controller shall implement such other security measures as are appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage, and to ensure that any such information is only retained for as long as necessary in relation to the purposes of the processing.